Malware Analysis Report

2025-08-10 18:06

Sample ID 240507-h231nshc46
Target 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2
SHA256 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2

Threat Level: Likely malicious

The file 399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 07:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 07:14

Reported

2024-05-07 07:17

Platform

win7-20240220-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\mumlltpsm\\dprgz.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\mumlltpsm C:\Users\Admin\AppData\Local\Temp\qczzp.exe N/A
File created \??\c:\Program Files\mumlltpsm\dprgz.dll C:\Users\Admin\AppData\Local\Temp\qczzp.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1320 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1320 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1320 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1320 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qczzp.exe
PID 1320 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qczzp.exe
PID 1320 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qczzp.exe
PID 1320 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qczzp.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\qczzp.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe

"C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qczzp.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\qczzp.exe

C:\Users\Admin\AppData\Local\Temp\\qczzp.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\mumlltpsm\dprgz.dll",Verify C:\Users\Admin\AppData\Local\Temp\qczzp.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/2496-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2496-2-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3036-9-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1320-8-0x0000000000190000-0x00000000001F4000-memory.dmp

memory/1320-7-0x0000000000190000-0x00000000001F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qczzp.exe

MD5 4b0cbc710f0657e76ab511132d72dd8d
SHA1 4591d6db054ca9919f0d4e5fd66d9357eafd6b78
SHA256 ba2ba7b22d8229c188522b54d07ed3d6915e14e468fc5a1b879f1d8d7d4b7c35
SHA512 69486a98da468cf68945ca4baddff71acabd137a1628035bd5fd73ee45dcdd382713a214faa0518c4d9262f8b044c46d74986fceec4d03c668fa53e28dcb0432

\Program Files\mumlltpsm\dprgz.dll

MD5 eee605772987be435566d9b7461ad9cc
SHA1 e5ecf62c599adb531da370d2914b26ac07c75be2
SHA256 cc1c04aabd0dba7572a55f052a077190846a60b91200e47a38b5f56fe9f6a0be
SHA512 8e079d14926e31a907f3fd110c71c208a0017a495c284254e57f4e39204ba8aa2c5b26bb1e020bde712260bcba7c47e4c40c4ea440c8a3f07a643bc952688260

memory/2672-21-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2672-20-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2672-19-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2672-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2672-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/3036-11-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2672-23-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 07:14

Reported

2024-05-07 07:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qmjqd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qmjqd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\fhuqy\\sdsvt.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\fhuqy\sdsvt.dll C:\Users\Admin\AppData\Local\Temp\qmjqd.exe N/A
File opened for modification \??\c:\Program Files\fhuqy C:\Users\Admin\AppData\Local\Temp\qmjqd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2788 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2788 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2788 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
PID 2788 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
PID 2788 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\qmjqd.exe
PID 3944 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\qmjqd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\qmjqd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\qmjqd.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe

"C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\qmjqd.exe

C:\Users\Admin\AppData\Local\Temp\\qmjqd.exe "C:\Users\Admin\AppData\Local\Temp\399ad2d4276388eace22cfbb5ab5083a1ceb04ed268b539efaeab80750a992b2.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\fhuqy\sdsvt.dll",Verify C:\Users\Admin\AppData\Local\Temp\qmjqd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
GB 23.73.138.57:443 www.bing.com tcp
US 110.34.196.36:803 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 110.34.196.34:3204 tcp

Files

memory/812-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/812-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qmjqd.exe

MD5 9382de433d754d7bf90606ab0e4f9e10
SHA1 a0dc6a85094427c96247231db9e3bc37086d31ad
SHA256 d7cb5c8d8bdc984438a50a0021a6c031f6fb8dd160ea7954c377d98da2e81f93
SHA512 87388127e3bf2ce3dca7828e5671241b25f2630ebbf856304acd468f6e4802e13222e7aa75bca7c5b4a170855df99f93c4dff9d6bba699f5342193e4753c9622

memory/3944-6-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3944-8-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Program Files\fhuqy\sdsvt.dll

MD5 5dc74511078ee7d135e0f8c57882dc8f
SHA1 c0ef43cc42219f96e3765cd6d4be3f09058104ff
SHA256 5fef57ac37033bd49f0a2d7a21e6aa09e20ff8f7c2686c9b18027b24e40286a4
SHA512 7ed27c0d5e44f3f2cd7819ef533ca8f3052245ce1053f0f512d6b3e90eb34817dfc27dc18ec21e3d89a6a261d63179b85be7a173166600e8d07903042439dbdc

memory/2000-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2000-12-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2000-14-0x0000000010000000-0x0000000010080000-memory.dmp